How hospitals can migrate to the cloud securely

Cloud is an attractive option for cash-strapped care providers, but security must remain top of the agenda

The healthcare industry has been slower to embrace the cloud than other sectors, but amid growing cutbacks on IT resources, providers are increasingly attracted by cloud cost efficiencies.

Like any other business, hospitals must ensure they implement data security best practices in their migration strategies, especially given the extreme sensitivity of patient data and that the sector is one of the biggest victims of data breaches (accounting for 25 percent of breaches reported in 2018).

In this Q+A, Todd Matters, chief architect and co-founder of RackWare, outlines cloud migration best practices for healthcare organisations.

Why are hospitals increasingly moving to the cloud?

Hospitals are increasingly moving to the cloud because of the flexibility and scalability that it provides, along with its responsiveness. Hospital-based applications and IT, in particular, were slow moving. It took a long time to upgrade systems and add additional capacities. So, finding the right applications to move to the cloud is a giant step forward for these kinds of industries.

What sort of workloads are hospitals moving there, and what are their typical cloud strategies?

As with any application, the workloads that require the least security are best to move to the public cloud first. Ideally, these are workloads with a lower transaction rate — or maybe they are read-only, like a list of contacts, for example. Those are the ideal applications to move to the cloud initially. Over time, hospitals can move more sensitive applications once their cloud strategy is proven and they’ve been able to tweak it in terms of capacity, security, and growth.

Is the pressure to cut costs and migrate to the cloud putting patients’ data at risk?

There is tremendous pressure to cut costs. We see this in healthcare and other industries, as well. IT computing costs have grown to meet the needs of larger datasets. Combine that with higher requirements on the physical side of things for data centres, and there is no doubt people have to move to the cloud.

Even with these cuts, the move to the cloud is not putting information at risk substantively beyond those in the data centre. The reason for this is that the same level of security and protections that you put in place for your data centre, need to be put in the cloud. Additionally, cloud environments today are highly secure. Providers have been doing this for a long time. Clouds, in some ways, are as secure – if not more secure – than conventional data centres.

What is the best cloud strategy for hospitals so that patients’ information is as secure as possible?

From a security perspective, there are three things to think about. First, hospitals need to ensure that their production data on the origin side is secure. Second, they must plan how they are going to securely transfer the data to the DR site. All companies, including hospitals, need security mechanisms in place to protect the data while it’s in transit. Third, hospitals need to make sure they have the proper security in place in the actual DR site. To have an optimal cloud strategy, hospitals need all three of those pieces. Those components need to work together, while also being secure and independent of one another.

Before a hospital begins a cloud migration process – what procedures must it enact to ensure it has protected itself against attacks?

In order to protect themselves from attacks and breaches, hospitals need to not only think about the three cloud strategy pieces, but also the origin environment, data transfer, and the target environment as well as ensuring the right controls are in place.

Additionally, hospitals need a layered approach to security. They can’t just have one layer that protects them; healthcare providers need multiple. That way, even if somebody could get through one of the layers, they immediately run into a significant inhibitor that will discourage and prevent them from getting closer to protected information.